Accounting using Syslog

Keeping track of all commands executed on Cisco devices is one of the mandatory features a network engineer needs to ensure thorough accounting and advanced monitoring of their networks.

This task is usually accomplished by deploying a TACACS+ server and enabling AAA new-model. However, in this post we will demonstrate another way to get nearly the same result, with all details about executed commands: in which configuration mode, at what time, by which user, and the returned results (if it is a show command, for example).

  • Basic Configuration:
Router#conf t
Router(config)#archive
Router(config-archive)#log config
Router(config-archive-log-cfg)#logging enable
Router(config-archive-log-cfg)#logging size 1000
Router(config-archive-log-cfg)#hidekeys

All executed commands will be stored locally on the device, where they can be viewed with the “show archive log config all” command:

Router#sh archive log config all

idx   sess           user@line      Logged command
1      1            [email protected]     |interface FastEthernet0/24
2      1            [email protected]     | description Connection_to_Internet
3      1            [email protected]     | no shutdown

The log has a limited size and its content can be deleted, which is why it is recommended to send a notification to a syslog server for each logged entry.

!
Router(config)#logging host 172.16.254.1
Router(config)#archive
Router(config-archive)#log config
Router(config-archive-log-cfg)#notify syslog
!
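
On the syslog server side, the notifications arrive as %PARSER-5-CFGLOG_LOGGEDCMD messages carrying the user and the command. The following is an added example, not part of the original post: it parses such lines and flags commands that would switch off the accounting itself. The sample lines, host, user names and the watch list are constructed assumptions.

```python
import re

# Constructed sample lines in the format IOS emits with "notify syslog";
# device address, users and timestamps are made up for illustration.
SAMPLE = """\
Mar  3 10:15:02 172.16.1.1 45: Mar  3 10:15:01.123: %PARSER-5-CFGLOG_LOGGEDCMD: User:admin  logged command:interface FastEthernet0/24
Mar  3 10:15:09 172.16.1.1 46: Mar  3 10:15:08.456: %PARSER-5-CFGLOG_LOGGEDCMD: User:admin  logged command:description Connection_to_Internet
Mar  3 10:16:40 172.16.1.1 47: Mar  3 10:16:39.002: %PARSER-5-CFGLOG_LOGGEDCMD: User:jdoe  logged command:no logging host 172.16.254.1
Mar  3 10:16:55 172.16.1.1 48: Mar  3 10:16:54.310: %SYS-5-CONFIG_I: Configured from console by jdoe on vty0 (172.16.9.9)
Mar  3 10:17:03 172.16.1.1 49: Mar  3 10:17:02.771: %PARSER-5-CFGLOG_LOGGEDCMD: User:jdoe  logged command:no notify syslog
"""

# Syslog-server timestamp, sending device, then the IOS message body.
LOGGED_CMD = re.compile(
    r"^(?P<ts>\w{3}\s+\d+\s[\d:]+)\s(?P<host>\S+)\s.*?"
    r"%PARSER-5-CFGLOG_LOGGEDCMD:\s*User:(?P<user>\S+)\s+"
    r"logged command:(?P<cmd>.*)$"
)

# Assumed watch list: commands that remove the logging configured above.
TAMPERING = re.compile(
    r"^no (logging|notify syslog|log config|archive|hidekeys)\b"
)


def parse(text):
    """Return one dict per logged-command message; other messages are skipped."""
    events = []
    for line in text.splitlines():
        m = LOGGED_CMD.search(line)
        if m:
            event = m.groupdict()
            event["cmd"] = event["cmd"].strip()
            events.append(event)
    return events


def tampering(events):
    """Return the events whose command would weaken the command accounting."""
    return [e for e in events if TAMPERING.search(e["cmd"])]


if __name__ == "__main__":
    for e in tampering(parse(SAMPLE)):
        print(f'{e["ts"]} {e["host"]} {e["user"]}: {e["cmd"]}')
```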
